MEETING VULNERABILITY SCANNING REQUIREMENTS FOR PCI


PCI is shorthand for the Payment Card Industry Data Security Standard (PCI-DSS) - a comprehensive set of 
information security requirements originally developed by MasterCard and Visa to protect personal and financial 
data about cardholders. PCI affects the network and IT operations of all organizations that store, process or 
transmit credit cardholder data, including retail stores, toll-free sales catalogs, online merchants and back-room 
service providers. 


“More than 50% of all PCI Approved Scanning Vendors (ASVs) and Qualified
Security Assessors (QSAs) use QualysGuard for vulnerability scanning.”


During the last few years, an unprecedented number of exposures or losses of personal financial data by some of 
these organizations have triggered calls for strict regulation. The credit card industry is stepping up efforts to 
strengthen cardholder data security by raising member validation requirements for compliance with PCI. The 
current released PCI standard (version 1.1) has six categories and 12 requirements for security controls. Of those, 
Qualys provides the leading vulnerability scanning solution for Requirement 11, the regular testing of security 
systems and processes. 


Testing Security Is Critical for Protecting Cardholder Data 


At most, organizations with untested systems can only hope that nothing bad happens to cardholder data. 
Continuous, systematic vulnerability assessment is the only way to measure security, maximize protection, and 
achieve compliance with PCI. Regular, on-going vulnerability management provides actionable information in 
order to identify and fix security risks proactively. As highlighted in PCI Requirement 11: “Vulnerabilities are 
being discovered continually by hackers and researchers, and being introduced by new software. Systems, 
processes and custom software should be tested frequently to ensure security is maintained over time and with 
any changes in software.” 


PCI Standard Requires Vulnerability Scanning 
Per Requirement 11.2 of the PCI Data Security Standard (DSS): 


Run internal and external network vulnerability scans at least quarterly and after any significant change 
in the network (such as new system component installations, changes in network topology, firewall rule 
modifications, product upgrades). 


Quarterly external vulnerability scans must be performed by a scan vendor qualified by the payment card 
industry. Scans conducted after network changes may be performed by the company’s internal staff. 
The Need for Internal and External Scans

The PCI DSS requirements specify the need for both internal and external scans for validation. An internal scan
assesses security inside the firewalled perimeter of a company’s network. The purpose is to test vectors that could
be susceptible to attacks originating from inside the network. An external scan assesses security of all
Internet-facing hosts that could be vulnerable to attacks that originate from outside the network.

Both types of vulnerability scans are important to accurately measure network security, and to gather data that is
instrumental for rapid remediation of any discovered weaknesses. For purposes of compliance with PCI DSS reporting
standards, organizations must report verifiable results of vulnerability scanning once a quarter for their network
perimeter audits. Those scans must be completed by a qualified scan vendor. Companies must also do internal
vulnerability scans once a quarter (or more frequently as suggested), but are only required to report results of
external scans at this time.

“With Tribune’s distributed organizational structure and heterogeneous environment, we needed a rapid and
economical way to scan for and eliminate server vulnerabilities. QualysGuard is helping us verify the PCI
compliance of our IT infrastructure.”
Chief Information Officer, Tribune


MERCHANT & SERVICE PROVIDER LEVELS & VALIDATION ACTIONS

Validation actions for each level: On-Site Security Audit, Self-Assessment Questionnaire, Network Scan.

MERCHANTS

Level 1
  Criteria: Any merchant, regardless of acceptance channel, processing more than 6 million transactions
  per year; any merchant that suffered a security breach resulting in an account compromise
  On-Site Security Audit: Required Annually*
  Self-Assessment Questionnaire: Not required
  Network Scan: Required Quarterly

Level 2
  Criteria: Any merchant processing between 150,000 and 6 million transactions per year
  On-Site Security Audit: Not required
  Self-Assessment Questionnaire: Required Annually
  Network Scan: Required Quarterly

Level 3
  Criteria: Any merchant processing between 20,000 and 150,000 transactions per year
  On-Site Security Audit: Not required
  Self-Assessment Questionnaire: Required Annually
  Network Scan: Required Quarterly

Level 4
  Criteria: All other merchants not in Levels 1, 2, or 3, regardless of acceptance channel
  On-Site Security Audit: Not required
  Self-Assessment Questionnaire: Required Annually
  Network Scan: Required Quarterly

SERVICE PROVIDERS

Level 1
  Criteria: All processors and all payment gateways
  On-Site Security Audit: Required Annually*
  Self-Assessment Questionnaire: Not required
  Network Scan: Required Quarterly

Level 2
  Criteria: Any service provider that is not in Level 1 and stores, processes or transmits more than
  1 million accounts/transactions annually
  On-Site Security Audit: Required Annually*
  Self-Assessment Questionnaire: Not required
  Network Scan: Required Quarterly

Level 3
  Criteria: Any service provider that is not in Level 1 and stores, processes or transmits less than
  1 million accounts/transactions annually
  On-Site Security Audit: Not required
  Self-Assessment Questionnaire: Required Annually
  Network Scan: Required Quarterly

*On-Site Security Audits may be conducted through Qualys PCI Consulting Partners - http://www.qualys.com/partners/pci

In the original chart, a © mark denotes a requirement met by QualysGuard.
Qualys Solutions for PCI Compliance


- QualysGuard PCI
  Subset of other QualysGuard services that meets requirements for documenting
  external perimeter scans and submitting a self-assessment questionnaire.

- QualysGuard Express
  Supports full vulnerability management capabilities in addition to external and
  internal scans/reporting for PCI in small-to-medium sized companies.

- QualysGuard Enterprise
  Supports full vulnerability management capabilities in addition to external and
  internal scans/reporting for PCI in large companies.


Other Testing Requirements for PCI Validation 


Individual payment card brands set additional requirements for PCI validation.
For example, MasterCard’s Site Data Protection Plan and Visa’s Cardholder
Information Security Program stipulate separate compliance validation requirements
for merchants and service providers. These vary depending on the size
of company and annual transaction volume (see chart, above). Requirements
include:


Annual On-Site Security Audit — The largest companies must have a yearly 
on-site compliance assessment performed by a certified third-party auditor. 


Annual Self-Assessment Questionnaire - In lieu of an on-site audit, smaller
companies must complete a yearly self-assessment questionnaire. QualysGuard
automates and simplifies this requirement online.


Quarterly Network Scans - These are required of all companies and must be
conducted by a certified third-party Approved Scanning Vendor (ASV). Companies may use the
QualysGuard application (directly or via a Qualys partner) to meet this requirement.
All 65,535 ports on external networks must be scanned, all vulnerabilities
detected, and any level-3 through level-5 severity vulnerabilities must be remediated.
Two reports must be issued in accordance with this testing: a technical
report detailing all vulnerabilities identified with solutions for remediation, and
an executive summary report with a PCI-approved compliance statement
suitable for submission to acquiring banks for validation.


To learn more about PCI Compliance and Qualys’ solutions, visit: 
http://www.qualys.com/solutions/pci_compliance/ 